UNAIR NEWS – The recent exposure of a syndicate in Surabaya–Sidoarjo that sold personal data for online gambling transactions involving billions of rupiah has once again raised alarms over Indonesia’s cybersecurity. The case highlights not only data breaches but also the weak enforcement of the Personal Data Protection Law (PDP Law).
Dr. Faizal Kurniawan, S.H., M.H., LL.M., a law lecturer at Universitas Airlangga, said the main problem lies in the gap between legal provisions and on-the-ground practices. Although Article 20 of the PDP Law requires data controllers to protect information from misuse and illegal access, weak oversight continues to allow such crimes to thrive.
“The law clearly guarantees every person the right to data protection. Yet sensitive information, including banking customers’ records, is still being sold to fuel digital crimes such as online gambling,” he said.
Law enforcement still reactive
Kurniawan noted that enforcement of personal data violations remains reactive. Authorities typically act only after major cases surface, rather than taking preventive measures.
“Article 67 of the PDP Law provides for up to five years in prison and fines of up to Rp5 billion. But in practice—like in the Cambridge Analytica case—legal sanctions often come too late, after the social damage has already occurred,” he explained.
He added that cases involving cross-border networks, such as online gambling syndicates, make prosecution even more difficult. Without strong international cooperation, such groups will continue exploiting legal loopholes.
Strengthening digital safeguards
On the security front, Kurniawan stressed the need to apply the principle of privacy by design outlined in Article 20 of the PDP Law. Banks and digital platforms, he said, must strengthen safeguards with encryption, multi-factor authentication, access controls, internal audits, and incident response plans.
“In the event of a breach, data controllers are required to notify owners within 72 hours. This is the minimum step needed so victims can act quickly,” he said.
Role of individuals and public awareness
Kurniawan added that individuals must also take responsibility for protecting their personal data. Avoiding phishing scams, withholding OTPs, and securing PINs are basic but essential steps.
“The PDP Law allows people to request copies of their personal data. Citizens should not remain passive—they have the right to demand transparency from institutions managing their data,” he said.
He stressed that public education must be strengthened so people understand their rights and responsibilities in the digital age.
Long-term strategic steps
As a long-term strategy, Kurniawan recommended accelerating the creation of an independent supervisory authority, setting minimum technical standards, and enhancing public literacy as well as forensic capacity.
“Without strong regulation and public awareness, similar cases will keep repeating,” he concluded.
Author: Rosali Elvira Nurdiansyarani
Editor: Khefti Al Mawalia